A malicious campaign focused on stealing cryptocurrencies has been analyzed by security researchers in several consequent reports since 2020.
ViperSoftX Cryptocurrency Infostealer: Technical Overview
The malware, known as ViperSoftX, has been described initially by Fortinet, Colin Cowie, and now more details are available in a report by Avast. The malware is mostly distributed via popular cracked software, including Adobe Illustrator, Corel Video Studio, Microsoft Office, etc. These cracked programs are typically distributed over torrent websites.
ViperSoftX campaigns are increasingly comprehensive in the attempt to avoid detection and fly under the radar. The threat actors continually improve the strategies that distribute the malware in the wild. The malware itself is a multi-stage infostealer that can conceal itself as small PowerShell scripts “on a single line in the middle of otherwise innocent-looking large log files,” Avast noted. The end goal is to steal cryptocurrencies via clipboard swapping and fingerprinting the infected host. It can also download and execute additional arbitrary payloads and commands.
One of these additional payloads is an infostealer that comes in the form of a browser extension for Chromium-based browsers. Avast decided to call the extension VenomSoftX.
So, what are the capabilities of VenomSoftX? It enables full access to every page the victims visits while in the meantime carrying out man-in-the-browser attacks for the purpose of clipboard hijacking attacks. The extension swaps cryptocurrency addresses and tampers with API requests on popular crypto exchanges. Then, it steals credentials and clipboard content, alters crypto addresses on websites the victim visits, and reports these activities via MQTT to the command-and-control server.
In a nutshell, both ViperSoftX and VenomSoftX attempt to steal cryptocurrencies from infected computers, either by scanning local files or by using more sophisticated techniques. “The amounts in the wallets ViperSoftX and VenomSoftX redirect stolen cryptocurrencies to add up to about $130,421.56, as of November 8, 2022. This is just the amount sent to cryptocurrency wallets, and doesn’t include other possible profits from other activities,” the report added.